In the past two weeks, four publicly-documented events made the AI agent attack surface concrete in a way vendor marketing usually obscures. They share a single structural property: the agent's trust model is wrong, and the consequences are now measurable.
The exposure count tripled in nine months
Trend Micro's 2026-04-28 update on exposed MCP servers reports the population grew from 492 (July 2025) to 1,467 — a near-tripling over nine months. Seventy-four percent are hosted on AWS, Azure, GCP, or Oracle. Per Trend Micro, exposed MCP servers "have become powerful vectors for cloud attacks, enabling threat actors to not only access sensitive data but also take control of the cloud services themselves."
The attack chain is mundane and operationally serious. A command-injection bug in a community-maintained MCP server such as aws-mcp-server (CVE-2026-5058, CVSS 9.8) lets an attacker run arbitrary commands on the EC2 instance hosting the MCP process, with that process's privileges. From there it is one HTTP request to the instance metadata service (IMDS) to pull the instance role's temporary credentials, and then: S3, DynamoDB, Lambda, IAM user creation, EC2 launches for persistence. This is classic IMDS credential theft through a new entry point, not novel cloud-attack tradecraft; the blast radius is whatever the instance role was allowed to do.
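The tail of that chain, instance-role credentials being spent on persistence, is the part an operator can detect today. The block below is an added example, not code from Trend Micro, the author's harness or any AWS tooling. The events are constructed to look like CloudTrail records; userIdentity.type, userIdentity.arn, eventSource, eventName and sourceIPAddress are real CloudTrail fields, but the values, the account id and the IP addresses are invented. It assumes that an EC2 instance-profile session carries a role session name equal to the instance id, so the session ARN ends in "/i-<hex>".

```python
"""Flag instance-role sessions doing things an EC2 workload almost never does.

Added example; not CloudTrail tooling from AWS, Trend Micro or the author.
Assumption: an instance-profile session's ARN ends in /i-<instance id>.
"""
import json
import re

# (eventSource, eventName) pairs that read as persistence when an instance
# role issues them. Constructed list; extend per environment.
PERSISTENCE_ACTIONS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "AttachRolePolicy"),
    ("ec2.amazonaws.com", "RunInstances"),
}

# Assumed shape of an EC2 instance-profile session ARN (see lead-in).
_INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/i-[0-9a-f]+$")


def is_instance_role_session(event):
    """True if the caller is an assumed role whose session name is an instance id."""
    ident = event.get("userIdentity", {})
    return ident.get("type") == "AssumedRole" and bool(
        _INSTANCE_SESSION.search(ident.get("arn", ""))
    )


def flag_event(event, known_egress_ips):
    """Return the reasons this event is suspicious; empty list if none."""
    reasons = []
    if not is_instance_role_session(event):
        return reasons
    key = (event.get("eventSource"), event.get("eventName"))
    if key in PERSISTENCE_ACTIONS:
        reasons.append(f"instance role invoked {key[1]}")
    # Only fires when the stolen credentials are used off-box. An attacker who
    # stays on the instance shares its egress IP, so the action check above is
    # the one that matters for the MCP-on-EC2 case.
    if event.get("sourceIPAddress") not in known_egress_ips:
        reasons.append("instance role used from outside known egress IPs")
    return reasons


# Constructed sample events. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; the account id and instance id are invented.
SAMPLE_EVENTS = json.loads("""[
 {"eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.10",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/mcp-host-role/i-0abc123def456789a"}},
 {"eventSource":"iam.amazonaws.com","eventName":"CreateUser","sourceIPAddress":"203.0.113.10",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/mcp-host-role/i-0abc123def456789a"}},
 {"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","sourceIPAddress":"198.51.100.77",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/mcp-host-role/i-0abc123def456789a"}},
 {"eventSource":"iam.amazonaws.com","eventName":"CreateUser","sourceIPAddress":"198.51.100.5",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/admin"}}
]""")

# The NAT/egress address the MCP host is expected to call AWS from (constructed).
KNOWN_EGRESS = {"203.0.113.10"}


def scan(events, known_egress_ips=KNOWN_EGRESS):
    """Return [(index, reasons)] for every event that raised at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := flag_event(e, known_egress_ips))]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["eventName"], reasons)
```

Event 0 is the instance doing its job and is not flagged; event 3 is a human IAM user and is out of scope for this rule. The off-box check is the same signal GuardDuty's InstanceCredentialExfiltration findings rely on; the action allowlist is what catches the on-box case the page describes, and the right size of that list is "everything the instance role permits that the workload does not need", which is also the list to remove from the role.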
The structural fact is that MCP servers were designed for a local stdio transport and ended up bound to 0.0.0.0 over the deprecated HTTP+SSE transport, because that is what "make it work over HTTP" looked like to the people deploying them.
Three database-wrapper MCPs, one structural failure mode
On 2026-05-13, Akamai researcher Tomer Peled disclosed three vulnerabilities in MCP servers that wrap analytical databases. The pattern is consistent across all three.
Apache Doris MCP (CVE-2025-66335). The exec_query tool wraps a SQL execution surface. The db_name parameter is unsanitized, and the downstream SQL validator inspects only the leading portion of the constructed query, so whatever the attacker injects through db_name beyond that window is never checked. Patched in doris-mcp-server 0.6.1.
StarTree mcp-pinot (issue #90, unpatched at disclosure). Verbatim from Peled's filing: "By default the server is binding to 0.0.0.0 and OAuth is off by default." The read_query tool's validation is one line: if not query.strip().upper().startswith("SELECT"): raise ValueError(...). Anything that begins with SELECT passes, whatever follows it, so a UNION onto a table the tool was never meant to read, a second statement stacked after a semicolon, or a comment wrapped around the payload all get through. StarTree later added OAuth over HTTP, but the SQL injection in read_query remains.
Alibaba Cloud RDS MCP (no CVE). Unauthenticated access to the RAG retrieval tool. Alibaba classified the issue as "not applicable" for a fix.
All three share one failure mode: the MCP tool wraps a SQL-execution surface and inherits the trust model of the AI agent instead of the database. The validator-as-theatre pattern (Doris), the transport-without-auth pattern (Pinot), and the RAG-as-side-door pattern (Alibaba) are different surface manifestations of the same trust-boundary error.
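The Doris and Pinot validators above, side by side with a stricter pre-check, as an added example rather than code from mcp-pinot, doris-mcp-server or the author's harness. weak_validate reproduces the one-line startswith check quoted from read_query; strict_validate is an assumed hardened pre-check (one statement, no comment syntax, SELECT-only vocabulary); the inputs are constructed. Note what the strict check still accepts: a UNION onto another table is a read, and no string validator can know which tables this caller may read. That scoping belongs to the database principal the MCP server connects as, which is the trust-boundary point of the section.

```python
"""Prefix-only SQL validation versus a stricter pre-check (added example).

weak_validate is the one-line check quoted from mcp-pinot's read_query.
strict_validate is an assumed hardened pre-check, not code from mcp-pinot,
doris-mcp-server or the author's harness. Neither substitutes for a
read-only database principal; a validator is defense in depth at best.
"""
import re


class QueryRejected(ValueError):
    """Raised when a query fails validation."""


def weak_validate(query: str) -> str:
    """The prefix check from read_query: anything starting with SELECT passes."""
    if not query.strip().upper().startswith("SELECT"):
        raise QueryRejected("only SELECT is permitted")
    return query


# Constructed attacker inputs. Each begins with SELECT, so weak_validate
# accepts all three; only the first is a plain read.
BYPASSES = {
    "union": "SELECT name FROM t UNION SELECT password FROM users",
    "stacked": "SELECT 1; DROP TABLE users",
    "comment": "SELECT /* harmless */ 1; DELETE FROM users -- ",
}

# Single-quoted strings and double-quoted identifiers, with doubled-quote escapes.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"", re.S)

# Keywords that have no business in a read-only tool, including the
# SELECT ... INTO OUTFILE form MySQL-protocol databases such as Doris accept.
_DENY = {
    "INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE",
    "GRANT", "REVOKE", "EXEC", "EXECUTE", "CALL", "INTO", "LOAD", "OUTFILE",
}


def strict_validate(query: str) -> str:
    """Assumed hardened pre-check: one statement, no comments, read-only vocabulary."""
    # 1. Blank out literals first so a harmless 'a--b' value cannot trip step 2
    #    and so nothing inside a literal can hide a token from step 4.
    body = _STRING_LITERAL.sub(" ", query)
    # 2. Refuse comment syntax outright; here it exists only to confuse validators.
    if "--" in body or "/*" in body or "#" in body:
        raise QueryRejected("comments are not permitted")
    # 3. Exactly one statement: a semicolon outside a literal means stacking.
    if ";" in body:
        raise QueryRejected("stacked statements are not permitted")
    # 4. The first keyword must be SELECT and no write/escape keyword may appear.
    tokens = re.findall(r"[A-Za-z_][A-Za-z_0-9]*", body.upper())
    if not tokens or tokens[0] != "SELECT":
        raise QueryRejected("only SELECT is permitted")
    denied = sorted(_DENY.intersection(tokens))
    if denied:
        raise QueryRejected(f"forbidden keyword(s): {denied}")
    return query


def audit(validator, queries):
    """Map each named query to True if the validator accepted it, else False."""
    verdicts = {}
    for name, query in queries.items():
        try:
            validator(query)
            verdicts[name] = True
        except QueryRejected:
            verdicts[name] = False
    return verdicts


if __name__ == "__main__":
    print("weak  :", audit(weak_validate, BYPASSES))
    print("strict:", audit(strict_validate, BYPASSES))
```

The weak check accepts all three constructed inputs; the strict check rejects the stacked and comment variants and still accepts the UNION. That last result is the honest one: if the database account behind read_query can read the users table, a UNION is a legitimate read, and the only fix is a principal that cannot.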
Sandbox isolation as a checkbox
CVE-2026-42302, disclosed 2026-05-08, is the cleanest single-CVE artifact of the month. FastGPT's agent-sandbox entrypoint.sh launches code-server with --auth none bound to 0.0.0.0:8080. Any network-reachable attacker gets unauthenticated remote code execution. CVSS 9.8. Affects FastGPT 4.14.10–4.14.12, patched in 4.14.13 (GHSA-34rc-438g-7w78).
The sandbox component existed because someone designed isolation into the product. The --auth none flag was a deployment choice that nullified it. Sandbox-as-checkbox is not isolation.
The shadow-AI class shows up on Form 8-K
On 2026-05-12, The Register reported that a US commercial bank self-disclosed to the SEC: employees fed customer data — including Social Security Numbers — into an unauthorized third-party AI application, outside the bank's approved systems.
Notice what this isn't. It isn't a framework CVE. It isn't a misconfigured MCP server. It isn't a sandbox that lost its --auth. The agent attack surface here is the absence of a sanctioned alternative — employees route work to an unapproved tool because the sanctioned path is slower than the deadline.
The bank's disclosure puts shadow AI in the regulatory record. That's the first thing about the SEC filing that matters. The second thing is that it forces every CISO of a federally-regulated firm to assume the same path exists in their org.
What this means for any operator
Across all four events, three things are simultaneously true:
The agent's trust model is wrong. MCP servers inherit the agent's authority, not the database's; agent sandboxes inherit the deployer's network config, not the threat model; shadow-AI tools inherit whatever data the employee's own access lets them paste.
Vendor responsibility is asymmetric. Doris shipped a patch in master in December 2025. StarTree fixed half the problem. Alibaba returned "not applicable." When the same class of vulnerability is a CVE for an open-source ASF project and out-of-scope for a hyperscaler SKU, operators absorb the asymmetry.
The detection surfaces don't compose yet. Endpoint probing catches handler-side bugs. Chain reading catches declaration-versus-behavior drift. DLP catches employee exfiltration. None of those tools see the others' artifacts.
What to test now
For the MCP class:
- Probe every MCP tool that wraps a SQL surface for parameter injection (Doris pattern, Pinot pattern).
- Test whether tool registration accepts admin overrides without authentication (Alibaba pattern).
- Audit deployment scripts for --auth none, 0.0.0.0 binds, and SSE transport (FastGPT pattern, Trend Micro at scale).
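A minimal version of that deployment-script audit, covering the FastGPT entrypoint.sh shape (code-server with --auth none on 0.0.0.0) and the exposed-MCP shape (HTTP+SSE on 0.0.0.0), as an added example. It is not code from FastGPT, Trend Micro or the author's harness; the three sample scripts are constructed for the example, and the regexes are assumptions to tune per environment. It is a pre-merge or CI gate for known-bad flags, not evidence that a deployment is safe.

```python
"""Scan deployment scripts for unauthenticated, all-interface exposure.

Added example; not FastGPT, Trend Micro or author tooling. The sample
scripts are constructed. Rules are plain regexes: cheap, tunable, and
wrong in both directions at the margins, so treat a hit as a review
trigger and a miss as nothing.
"""
import re

# Rule id -> pattern. Constructed; extend for your own launchers.
RULES = {
    "AUTH_DISABLED": re.compile(r"--auth[=\s]+none\b"),
    "BIND_ALL": re.compile(r"(?<![\d.])0\.0\.0\.0(?![\d.])|\[::\]"),
    "SSE_TRANSPORT": re.compile(r"--transport[=\s]+sse\b|/sse\b", re.I),
}

# Constructed samples modelled on the patterns described in the text.
SAMPLE_FILES = {
    "agent-sandbox/entrypoint.sh": """\
#!/bin/sh
# constructed: sandbox launcher with auth off and bound to every interface
exec code-server --auth none --bind-addr 0.0.0.0:8080 /workspace
""",
    "mcp/run.sh": """\
#!/bin/sh
# constructed: community MCP server exposed over HTTP+SSE
python -m aws_mcp_server --transport sse --host 0.0.0.0 --port 8000
""",
    "mcp/run-local.sh": """\
#!/bin/sh
# constructed: the deployment shape MCP was designed for
python -m aws_mcp_server --transport stdio
""",
}


def audit_file(path, text):
    """Return (path, lineno, rule, line) for every non-comment line a rule hits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, rule, stripped))
    return findings


def audit_all(files):
    """Audit a {path: contents} mapping; a real run would read files from disk."""
    findings = []
    for path, text in files.items():
        findings.extend(audit_file(path, text))
    return findings


def unauthenticated_exposures(findings):
    """Paths where a 0.0.0.0 bind co-occurs with disabled auth: the FastGPT shape."""
    rules_by_path = {}
    for path, _, rule, _ in findings:
        rules_by_path.setdefault(path, set()).add(rule)
    return sorted(
        path for path, rules in rules_by_path.items()
        if {"BIND_ALL", "AUTH_DISABLED"} <= rules
    )


if __name__ == "__main__":
    results = audit_all(SAMPLE_FILES)
    for finding in results:
        print(*finding)
    print("unauthenticated on all interfaces:", unauthenticated_exposures(results))
```

The SSE hit on its own says "network-exposed", not "unauthenticated"; whether the server in front of it enforces anything is the next question, and the Pinot filing quoted earlier is the reminder that the default answer has been no.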
For the governance class:
- Inventory unapproved AI tools your workforce already uses. The number is non-zero.
- Map each sanctioned tool to a maximum data-class permitted; refuse SSN/PHI/PCI exposure on tools that aren't certified for it.
- Treat shadow AI as a sanctioned-alternative gap, not a discipline failure.
Identify and revoke
When a managed-plane vendor declares unauthenticated access to a RAG retrieval tool "not applicable," the operator response isn't to rotate credentials. There is nothing to rotate. The response is to identify which agent workflows route through that surface and revoke the trust the workflow assumed it had — until the vendor's posture changes or the workflow migrates.
When an employee posts customer SSNs to an unapproved AI app, the response isn't to retrain the employee. The trust boundary the employee bypassed was tooling-shaped, not training-shaped. The response is to identify the gap in the sanctioned toolset and close it — and revoke the workforce's reliance on a tool the firm cannot audit.
MCP database servers ship the database's blast radius with the agent's trust model. The four events of the past two weeks make that fact citable.
Saleme, Michael K. — ORCID 0009-0003-6736-1900
Open-source artifacts referenced: agent-security-harness (github.com/msaleme/red-team-blue-team-agent-fabric, 470 tests covering MCP, A2A, x402, L402 — direct mappings: MCP-001, MCP-003, MCP-010, MCP-015, MCP-016, CREW-001, CREW-010, AUTH-001, DATA-001, DATA-003, IR-007). constitutional-agent (github.com/CognitiveThoughtEngine/constitutional-agent-governance, HC-6, HC-12, GovernanceGate, EpistemicGate).